DOE/IG-0518

AUDIT REPORT

EVALUATION OF CLASSIFIED INFORMATION SYSTEMS SECURITY PROGRAM

AUGUST 2001

U.S. DEPARTMENT OF ENERGY
OFFICE OF INSPECTOR GENERAL
OFFICE OF AUDIT SERVICES


U.S. DEPARTMENT OF ENERGY
Washington, DC 20585

August 30, 2001

MEMORANDUM FOR THE SECRETARY

FROM: Gregory H. Friedman (Signed)
      Inspector General

SUBJECT: INFORMATION: Audit of the Evaluation of Classified Information Systems Security Program

BACKGROUND

All information processed, transmitted, stored, or disseminated by or on behalf of the Department of Energy (Department) on automated information systems requires some level of protection. The loss or compromise of information entrusted to the Department or its contractors may affect the nation’s economic competitive position, the environment, national security, Department missions, or citizens of the United States.

In response to the increasing threat to Federal information systems, the Government Information Security Reform Act (GISRA) was enacted in October 2000. GISRA specifically requires that national security or other classified information systems be evaluated annually by an independent organization designated by the Secretary of Energy. GISRA also requires that the Office of Inspector General perform an audit of this evaluation. The Department formally selected the Office of Independent Oversight and Performance Assurance (OA) to perform the independent evaluation of its classified information systems security program.

The objective of our audit was to determine whether the evaluation of classified information systems was performed in accordance with GISRA requirements.

RESULTS OF AUDIT

Overall, the evaluation of classified information systems was performed as required by GISRA. OA’s “Report on the Status of the Department of Energy’s Classified Information System Security Program” should provide the Department with reasonable assurance that the processes of managing and controlling classified information systems have been independently evaluated. While the approach appeared to be reasonable, we were unable to complete verification procedures we considered necessary because documentation to support past inspections was not always available. In addition, we were unable to determine whether all inspection requirements had been satisfied because OA had not finalized policies and procedures to govern the conduct of cyber security inspections.

We recognize that this is the first year for this process and that OA’s evaluation approach continues to evolve. During the coming year, we plan to work with the Office of Cyber Security and Special Reviews, a division of OA, to clarify documentation procedures and to better integrate the audit process.

MANAGEMENT REACTION

We made several recommendations designed to improve the evaluation process. Management concurred with our finding and recommendations and indicated that it had initiated corrective actions.

Attachment

cc: Deputy Secretary
    Under Secretary for Energy, Science and Environment
    Administrator, National Nuclear Security Administration
    Acting Chief Information Officer
    Director, Office of Independent Oversight and Performance Assurance


AUDIT OF THE EVALUATION OF CLASSIFIED INFORMATION SYSTEMS SECURITY PROGRAM

TABLE OF CONTENTS

Overview
    Introduction and Objective ........................................ 1
    Conclusions and Observations ...................................... 1

Process Improvements Warranted
    Details of Finding ................................................ 2
    Recommendations and Comments ...................................... 4

Appendices
    1. Scope and Methodology .......................................... 5
    2. Office of Independent Oversight Report on the Status of the
       Department of Energy’s Classified Information Systems Security
       Program, January 2000—July 2001 ................................ 7


OVERVIEW

INTRODUCTION AND OBJECTIVE

All information processed, transmitted, stored, or disseminated by or on behalf of the Department of Energy (Department) on automated information systems requires some level of protection. The loss or compromise of information entrusted to the Department or its contractors may affect the nation’s economic competitive position, the environment, national security, Department missions, or the citizens of the United States.

In response to the increasing threat to information systems and the highly networked nature of the Federal computing environment, the Government Information Security Reform Act (GISRA) was enacted on October 30, 2000. GISRA focuses on the program management, implementation, and evaluation aspects of the security of unclassified and classified information systems. It specifically requires that national security or other classified information systems be evaluated annually by an independent organization designated by the Secretary of Energy. The Department formally selected the Office of Independent Oversight and Performance Assurance (OA) as the entity to perform the independent evaluation of its classified information system security program. GISRA also requires that the Office of Inspector General perform an audit of this evaluation.

The objective of our audit was to determine whether the evaluation of classified information systems was performed in accordance with GISRA requirements.

CONCLUSIONS AND OBSERVATIONS

Overall, the evaluation of classified information systems was performed as required by GISRA. OA’s “Report on the Status of the Department of Energy’s Classified Information System Security Program” should provide the Department with reasonable assurance that the processes of managing and controlling classified information systems have been independently evaluated. While the approach appeared to be reasonable, we were unable to complete verification procedures we considered necessary because documentation to support past inspections was not always available. In addition, we were unable to determine whether all inspection requirements had been satisfied because OA had not finalized policies and procedures to govern the conduct of cyber security inspections.

Signed
Office of Inspector General


PROCESS IMPROVEMENTS WARRANTED

Overall Evaluation was Reasonable

Overall, the evaluation of classified information systems was performed as required by GISRA. While the approach appeared to be reasonable, we were unable to complete verification procedures we considered necessary because documentation to support past inspection efforts was not always available. In addition, we were unable to determine whether all inspection requirements had been satisfied because policies and procedures to govern the conduct of inspections had not been finalized.

Evaluation Approach

Rather than performing a separate review, OA elected to base its evaluation of the Department’s classified information system security program on a series of cyber security inspections performed during the normal course of business. The Office of Cyber Security and Special Reviews, a division of OA, performed these inspections at a number of the Department’s sites during the previous 19-month period. The report of evaluation recaps the results of those inspections and draws overall conclusions as to the appropriateness and extent of compliance with policy and current implementation efforts. It also reaches a conclusion on the effectiveness of the Department’s classified cyber security program.

The inspections on which the report of evaluation was based appeared to be reasonable and were conducted using a comprehensive, two-tiered approach that included performance tests and programmatic reviews. Performance tests are employed to assess a site’s current cyber security posture. Programmatic reviews evaluate the site’s cyber security approach and the sustainability of the program over time. Components of performance testing include data gathering through internal and external network scanning for vulnerabilities, and attempts to use that information to gain unauthorized access and privileges on sites’ networks and computer systems by mimicking an unauthorized intrusion or attack. The programmatic portion of these inspections includes aspects of the classified cyber security program related to:

    • Leadership, responsibilities, and authorities;
    • Risk management and planning;
    • Policy, guidance, and procedures;
    • Technical implementation; and
    • Performance evaluation, feedback, and continuous improvement.

Quality Review Factors

We also observed that the Office of Cyber Security and Special Reviews employed a number of practices designed to ensure the quality of the reviews used to support its evaluation report. For example, we observed that the professional qualifications and technical skills of those assigned to review tasks were appropriate. During our site visits we noted that personnel involved in the cyber security evaluation demonstrated a thorough understanding of cyber security issues. We also observed that each cyber security finding or problem area noted by an OA inspection team was validated with site officials on a real-time basis. Final reports were also validated by management at the conclusion of the inspection and prior to the team leaving the site.

Standard for Evaluation

GISRA and general standards for internal control activities require that entities performing the evaluation of classified information systems satisfy several requirements. Specifically, the evaluation must be performed by an independent entity, be based on the results of tests of security control techniques for an appropriate subset of systems, and include an assessment of compliance with GISRA-related policies and procedures. Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1) generally require that internal control activities such as those related to cyber security evaluations be documented. For instance, internal control transactions and related policies must be adequately documented, and such documentation should be readily available for examination.

Specific Improvements Necessary

Although the approach taken and the conclusions reached by OA appeared reasonable, specific improvements in the evaluation process are necessary. For example, we were unable to complete verification procedures we considered necessary because documentation to support past inspection efforts was not always available. OA could not always readily provide supporting documentation such as network vulnerability scan results, interview and meeting minutes, and/or documentation as to the scope, methodology, or context of each classified information system evaluation. While we consider the validation process used to ensure the accuracy of each report to be a compensating control, additional documentation is necessary to support the nature, extent, and results of tests of classified information security controls.

In addition, we were unable to determine whether all evaluation requirements had been satisfied because policies and procedures to govern the conduct of cyber security inspections had not been finalized. Specifically, we could not always validate that the approach adopted covered critical aspects of the site’s cyber security program. Utilizing formal policies and procedures during an inspection can provide a number of benefits. Specifically, well-developed policies and procedures permit the use of structured documentation techniques and generally provide a clear picture of the scope and context of the inspection. Using such an approach helps to simplify third-party reviews or audits and ultimately enhances the overall inspection structure. While an effort to develop and formally document policies and procedures to govern the conduct of cyber security inspections was underway, the project remained incomplete at the time of our audit.

RECOMMENDATIONS

We recommend that the Director, Office of Independent Oversight and Performance Assurance:

    1. Develop and implement a structured approach to documenting and maintaining information to support each classified information system inspection report, and

    2. Adopt formal policies and procedures to govern classified information system inspections. Such policies should cover all aspects of the inspection process and should specifically address topics such as the extent of coverage, areas of concentration, and overall review methodology.

MANAGEMENT REACTION

Management concurred with our finding and recommendations and indicated that it had initiated corrective actions.

AUDITOR COMMENTS

Management’s comments and proposed actions are responsive to our recommendations. We look forward to working with the Office of Cyber Security and Special Reviews during the coming year.


APPENDIX 1

SCOPE

The audit work was conducted at Department Headquarters in Washington, DC, and the Hanford Reservation, located in Richland, Washington, between June and August 2001. Rather than performing a separate review, OA elected to base its evaluation of its classified information system security program on a series of cyber security inspections that were performed over the normal course of business during the previous 19-month period. Therefore, the scope of our audit included a review of judgmentally selected classified cyber security inspection reports and the associated supporting documentation that formed the basis of the evaluation. In addition, to further our understanding of the cyber security review process, we observed the performance of a comprehensive cyber security evaluation.

The scope of our audit was limited because we were unable to complete verification procedures we considered necessary, as documentation to support past review efforts was not always available. In addition, we were unable to determine whether all inspection requirements had been satisfied because OA had not finalized policies and procedures that govern the conduct of inspections. Furthermore, our audit provides no assurance for those classified information systems used to manage intelligence-related information. As indicated in the attached evaluation report, such systems were not reviewed. According to GISRA, evaluation authority for such systems is vested in the Secretary of Defense or the Director, Central Intelligence.

METHODOLOGY

To satisfy the audit objective we:

    • Observed OA perform a comprehensive cyber security review at the Hanford Reservation;
    • Participated in numerous discussions with OA management officials as well as cyber security officials with the Office of the Chief Information Officer (CIO);
    • Reviewed all the reports used by OA to form the basis of its report of independent evaluation;
    • Judgmentally sampled five reports to review the supporting documentation used by OA in its evaluation;
    • Reviewed the qualifications and competencies of OA personnel performing classified information system security program inspections; and
    • Evaluated OA’s organizational placement in terms of its structural independence within the Department.

The audit was conducted in accordance with generally accepted Government auditing standards for performance audits and included tests of internal controls and compliance with laws and regulations to the extent necessary to satisfy the audit objective. Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed. Also, we did not rely on computer-processed data to accomplish our audit objective. Management waived a formal exit conference.


APPENDIX 2

Office of Independent Oversight Report on the Status of the DOE’s Classified Information System Security Program

(Pages 8 through 32 of the original, containing the attached OA report, are not reproduced in text form.)


IG Report No.: DOE/IG-0518

CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in improving the usefulness of its products. We wish to make our reports as responsive as possible to our customers’ requirements, and, therefore, ask that you consider sharing your thoughts with us. On the back of this form, you may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if they are applicable to you:

1. What additional background information about the selection, scheduling, scope, or procedures of the audit would have been helpful to the reader in understanding this report?

2. What additional information related to findings and recommendations could have been included in this report to assist management in implementing corrective actions?

3. What format, stylistic, or organizational changes might have made this report’s overall message more clear to the reader?

4. What additional actions could the Office of Inspector General have taken on the issues discussed in this report which would have been helpful?

Please include your name and telephone number so that we may contact you should we have any questions about your comments.

Name _____________________________      Date __________________________

Telephone _________________________     Organization ____________________

When you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-0948, or you may mail it to:

    Office of Inspector General (IG-1)
    Department of Energy
    Washington, DC 20585

    ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact Wilma Slaughter at (202) 586-1924.


The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible. Therefore, this report will be available electronically through the Internet at the following address:

U.S. Department of Energy, Office of Inspector General, Home Page
http://www.ig.doe.gov

Your comments would be appreciated and can be provided on the Customer Response Form attached to the report.